SRT Security Advisory (SRT2002-06-04-1711): SCO crontab

From: zillion (zillionat_private)
Date: Tue Jun 04 2002 - 14:32:08 PDT


    ======================================================================
    
    Strategic Reconnaissance Team Security Advisory (SRT2002-06-04-1611)
    
    Topic  : SCO OpenServer crontab format string vulnerability
    Date   : June 04, 2002
    Credit : KF dotslash[at]snosoft.com
    Site   : http://www.snosoft.com
    
    ======================================================================
    
    .: Description:
    ---------------
    
     The SCO OpenServer crontab application is installed setgid cron and
     can be used to schedule execution of programs and scripts.
    
     This implementation of crontab contains a format string vulnerability
     which can be used to execute code in order to elevate privileges:
    
     $ crontab %x%x%x%x
     crontab: cannot open file 8047f08804a5578047cd48047cd4
    
     Due to the nature of crontab, it is very likely that once 'cron' group
     privileges have been obtained, it is possible to gain higher privileges.
    
    .: Impact:
    ----------
    
     Local users can elevate their privileges through this vulnerability.
    
    .: Systems Affected:
    --------------------
    
     SCO/Caldera OpenServer 5.0.6
    
    .: Solution:
    ------------
    
     The vendor was notified and is diligently working on a fix. Until such
     a fix has been made available, disable crontab or deny access from
     untrusted sources to the affected systems.
    
    ======================================================================
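
The bug class described in the advisory, as an added example that is not part of the original advisory and is not SCO's code. The function names and the `errmsg` helper are hypothetical, and the flawed call pattern is an assumed reconstruction consistent with the `cannot open file` output shown above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style error helper of the kind many Unix
 * utilities carry; it formats into 'out' so the result can be checked. */
static void errmsg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Flawed pattern (assumed): the file name is pasted into the string that
 * is then used as the format, so '%' directives in the name are
 * interpreted and pull values that were never passed as arguments. */
void report_open_failure_flawed(char *out, size_t n, const char *name)
{
    char msg[256];
    snprintf(msg, sizeof msg, "crontab: cannot open file %s", name);
    errmsg(out, n, msg);   /* user-influenced data in the format position */
}

/* Corrected pattern: the format is a constant and the file name is only
 * ever passed as an argument, so it is copied out byte for byte. */
void report_open_failure_fixed(char *out, size_t n, const char *name)
{
    errmsg(out, n, "crontab: cannot open file %s", name);
}

int main(void)
{
    char flawed[256], fixed[256];
    const char *name = "%x%x%x%x";  /* constructed input, same as the advisory */

    report_open_failure_flawed(flawed, sizeof flawed, name);
    report_open_failure_fixed(fixed, sizeof fixed, name);
    printf("flawed: %s\nfixed : %s\n", flawed, fixed);
    return 0;
}
```

Declaring the helper with `__attribute__((format(printf, 3, 4)))` and building with GCC's `-Wformat -Wformat-security` makes the compiler flag the call in `report_open_failure_flawed`.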
    


